Articles

Upgrade Falco to a New Version Safely (2026)

April 16, 2026 5 min read

Falco, the real-time threat detection engine for Kubernetes, is surprisingly good at detecting its own operational issues, but upgrading it can still feel like a delicate dance. The core challenge isn’t just replacing binaries; it’s ensuring your detection rules, which are the heart of Falco’s intelligence, remain compatible and effective across versions.

Let’s say you’re moving from Falco 0.17.0 to 0.18.0. The usual path involves stopping the old Falco, installing the new one, and restarting. But before you touch anything, grab a snapshot of your current Falco configuration and rules.

# Example: Backup current Falco config and rules
sudo cp -r /etc/falco /etc/falco.bak_$(date +%Y%m%d_%H%M%S)

Now, let’s get the new Falco. If you’re using the official Debian/Ubuntu package repository:

# Add the new repository if necessary (check Falco docs for current repo URLs)
sudo curl -s https://falco.org/repo/deb/ | sudo tee /etc/apt/sources.list.d/falco.list
sudo apt update
sudo apt install falco=<new_version_number>

For example, to install 0.18.0:

sudo apt install falco=0.18.0

Once installed, the new Falco service will likely start automatically. Before you declare victory, check its status:

sudo systemctl status falco

Look for any immediate errors. The most common pitfall is rule compatibility. Falco’s rule syntax and available fields can evolve. A rule that worked perfectly in 0.17.0 might be invalid or behave unexpectedly in 0.18.0 due to changes in how kernel events are parsed or new fields being introduced.

Diagnosis Command: The primary tool here is falco-rules.py, which comes with Falco. This script analyzes your rules files against the currently loaded Falco version.

# Navigate to your rules directory (adjust path if needed)
cd /etc/falco/rules.d/

# Run the rules checker against the installed Falco
sudo falco-rules.py --rules-dir . --output-file /tmp/falco_rules_check.log

Common Cause 1: Rule Syntax Incompatibility

  • Diagnosis: The falco-rules.py output will highlight specific lines in your custom rules files (.yaml) that have syntax errors or use deprecated fields. Look for messages like "Syntax error" or "Unknown field".
  • Fix: Consult the Falco release notes for the version you’re upgrading to. They detail breaking changes in rule syntax and field names. For instance, a field like proc.exe might have been renamed to proc.name in a newer version. You’ll need to manually edit your .yaml files to reflect these changes. For example, changing proc.exe to proc.name in your rule.
  • Why it works: This directly updates your rules to match the parser’s expectations in the new Falco version, ensuring events are correctly evaluated.

Common Cause 2: Deprecated Fields or Functions

  • Diagnosis: Similar to syntax errors, falco-rules.py might flag usage of fields or functions that are no longer supported or have been replaced. The output will indicate which specific field/function is deprecated.
  • Fix: Find the replacement field or function in the Falco documentation or release notes and update your rules accordingly. If a field was removed entirely, you might need to rethink how you detect that specific event, potentially by combining multiple other fields. For example, if fd.name is deprecated, you might need to use fd.path and fd.type instead.
  • Why it works: By using current, supported fields and functions, you ensure Falco can correctly interpret event data and trigger alerts.

Common Cause 3: Missing Kernel Module or eBPF Driver

  • Diagnosis: If Falco is running but not generating any events, or generating far fewer than expected, check if the kernel module or eBPF probe is loaded.
    lsmod | grep falco  # For kernel module
# For eBPF, check /sys/kernel/debug/tracing/events/falco/ or use bpftool
bpftool prog show --name | grep falco
  • Fix: If the module/probe isn’t loaded, you might need to reinstall it. The falco-driver-loader utility typically handles this.
    sudo /usr/bin/falco-driver-loader install
sudo systemctl restart falco
  • Why it works: The kernel module/eBPF probe is Falco’s eyes and ears, capturing system calls. Without it, Falco is blind.

Common Cause 4: Incompatible falco.yaml Configuration

  • Diagnosis: While less common for minor version bumps, major changes in falco.yaml options can occur. Check Falco’s logs (journalctl -u falco) for errors related to loading the configuration file.
    sudo falco --validate-config
  • Fix: Review the falco.yaml file for any parameters that have been removed, renamed, or changed their expected value type. Update them according to the new version’s documentation. For example, if log_level was changed to log.level, you’d update that line.
  • Why it works: Ensures Falco’s internal settings, like logging verbosity or output destinations, are correctly parsed and applied.

Common Cause 5: Rule File Permissions/Ownership

  • Diagnosis: Falco might fail to start or load specific rules if it doesn’t have read permissions on its rule files or configuration.
    sudo falco --show-rules
    If this command hangs or errors, check permissions.
  • Fix: Ensure the falco user (or the user Falco runs as) has read access to /etc/falco/ and all files within /etc/falco/rules.d/.
    sudo chown -R falco:falco /etc/falco
sudo chmod -R u+r,g+r,o-r /etc/falco
  • Why it works: Falco needs to read its rule definitions to function, and proper file permissions are a prerequisite for that.

Common Cause 6: Resource Constraints (especially on Kubernetes)

  • Diagnosis: If Falco is crashing or restarting sporadically, especially under load, it might be hitting resource limits. Check kubectl describe pod <falco-pod-name> -n <falco-namespace> for OOMKilled events or resource warnings.
  • Fix: Increase the CPU and memory requests/limits for the Falco DaemonSet or deployment in your Kubernetes cluster. For example, changing resources.limits.memory from 200Mi to 500Mi.
  • Why it works: Falco, especially with complex rules and high event volumes, can be resource-intensive. Providing adequate resources prevents it from being terminated by the container orchestrator.

After successfully upgrading and verifying your rules, the next hurdle you’ll likely encounter is fine-tuning new alerts generated by features introduced in the newer version, or dealing with increased alert volume due to subtle behavioral changes in the system being monitored.

Want structured learning?

Take the full Falco course →